Deploy the SWG Umbrella Chromebook Client
The SWG Umbrella Chromebook client provides Umbrella's secure web gateway (SWG) protections to Chromebook users. This deployment results in your Chromebooks being listed as identities in the Web policy. Your Chromebooks are immediately protected by the Web policy's default ruleset and rules. At any time, you can add your own rulesets and rules to the Web policy and customize your Chromebooks' protections. For more information, see Add a Chromebook Specific Web Policy Ruleset.
The JSON file downloaded from Umbrella during this procedure contains information required by the SWG Umbrella Chromebook client so that it can operate with Umbrella. During the deployment, the Chromebook extension is added to the Google Admin console. The JSON file is uploaded into the extension configuration from Google Admin console. After the client is installed in a Chromebook, allow a few hours for Chromebook traffic to begin appearing in your Umbrella dashboard.
Prerequisites
- A G Suite admin account is required. Integrating the G Suite Identity Service is optional. For more information, see Integrate the G Suite Identity Service.
- Umbrella login credentials
- Chromebooks with ChromeOS v55 or newer
- Chromebooks are not in Kiosk mode
- Port 8888 (TCP) accessible to 146.112.0.0/16, 151.186.0.0/16, and 155.190.0.0/16
- https://registration.polaris.qq.opendns.com is accessible
- https://sync.hydra.opendns.com is accessible
- Chromebooks must be connected and logged in
- Cisco Umbrella root certificate or a certificate signed by your CA installed — To avoid certificate errors when accessing an Umbrella block page, you must install either the Cisco Umbrella root certificate or a certificate signed by your CA on all your Chromebooks. See Manage Certificates.
For more information about how to push the Umbrella root certificate from Google's admin console to all of your Chromebook devices, see Set up TLS (or SSL) inspection on Chrome devices. - In the G Suite Admin console, disallow the incognito window. From the Incognito mode menu, choose Disallow incognito mode. For more information, search for Incognito Mode in Chrome Enterprise and Education Help.
- Optionally, configure the DNS servers on your network to forward DNS traffic to Cisco Umbrella. This configuration provides the most accurate selection of SWG Data Center locations. For more information, see Point your DNS to Cisco Umbrella.
Chromebook Time Sync
You must ensure that your Chromebooks are synced to the local timezone. Configure the timezone of your Google Admin console to auto sync with your Chromebooks.
- In the Google Admin console navigate to Settings > Device.
- Scroll to the Other Settings area.
- From the Timezone > System Timezone Automatic Detection pulldown menu, choose Always Send WiFI access points to server while resolving timezone.
You cannot deploy the SWG Umbrella Chromebook client directly to your Chromebooks. You must deploy from the Google Admin console.
- Navigate to Deployments > Core Identities > Chromebook Users and click Configure.
- Click Download and download the Chromebook configuration file.
Note: Save this file to a known location. The regToken value listed in this file is required during the installation of the Cisco Umbrella Chromebook client application.
{"failClose":{"Value":false},"failOpenRetryInterval":{"Value":5},"googleDirectoryService":{"Value":false},"organizationInfo":{"Value":{"organizationId":<ORG-ID>,”productId":3,"regToken”:”<REG-TOKEN>”}},”publicSession":{"Value":false},"vaIPs":{"Value":[}}
- Log into the Google Admin console.
- Navigate to Devices > Chrome > Apps & Extensions.
- From Apps & Extensions, navigate to Users & browsers > Organizational Units.
- Expand Organizational Units and choose the organization you want to deploy the SWG Umbrella Chromebook client into.
- Click the + (Expand) icon and choose Add from Chrome Web Store.
- In the Chrome Web Store, navigate to Extensions and then Search for the SWG Umbrella Chromebook client extension using the SWG Umbrella Chromebook Client ID jgnjaoilojahgagddnkeankieagghabk.
- Click Select.
The extension is added to the selected organization unit.
- Choose Force Install and then click Save .
The SWG Umbrella Chromebook client extension is installed. Force Install ensures that Chromebook users in the selected Organization Unit cannot remove or disable the extension.
- Copy the configuration file that you downloaded during Step 1: Install the SWG Umbrella Chromebook Client Extension and paste it into the Policy for Extensions section.
- Click Save.
The SWG Umbrella Chromebook client is installed and the configuration file uploaded.
Each Chromebook when synced to Umbrella is identified and listed by the email used to log into that Chromebook.
It can take Google upwards of eight hours to push the SWG Umbrella Chromebook client to all of your Chromebooks. After the client is installed in a Chromebook, allow a few hours for Chromebook traffic to begin appearing in your Umbrella dashboard.
Note: Chromebooks must be connected and logged in.
- Apply the Web policy's ruleset to your organization's Chromebooks. For more information, see Add a Chromebook Specific Web Policy Ruleset.
Note: After you successfully deploy the SWG Umbrella Chromebook client to your Chromebooks, you can view the current state of Umbrella's protection of the Chromebook through a small icon. For more information, see SWG Umbrella Chromebook Client Protection Status.
Enable Trusted Network Detection < Deploy the SWG Umbrella Chromebook Client > Add a Chromebook Specific Web Policy Ruleset
Updated about 2 months ago